Meltdown and Spectre exploit critical vulnerabilities in modern processors. These hardware bugs allow programs to steal data which is currently processed on the computer. While programs are typically not permitted to read data from other programs, a malicious program can exploit Meltdown and Spectre to get hold of secrets stored in the memory of other running programs. This might include your passwords stored in a password manager or browser, your personal photos, emails, instant messages and even business-critical documents.
Linux kernel developers. This is a kernel-level issue.
Once the patches get into the Linux releases, it will get patched automatically here, too.
Openwrt/LEDE is a Linux after all.
The need to backport the various kernel and toolchain fixes to the older versions used by LEDE will delay the process somewhat and the toolchain patches will force us to recompile the entire stable release which will take between 7 to 10 days after preparing the source tree.
Sure but from what I read only Linux 4.15 is receiving patches. Patches for Linux 4.14.1 are being backported, however LEDE-17.01 is running on Linux 4.4. I don't think it will get patches as automatically as you say.
Second thing. Which CPU models are actually affected?
I think the IPQ806x is and the ones based on Marvell 88F6820 as affected too but what about WR1043NDv4 which is QCA9563.
I don't think the patches should be activated on all routers. Only the ones that are affected so we don't unnecessary cripple performance.
Sure but from what I read only Linux 4.15 is receiving patches. Patches for
Linux 4.14.1 are being backported, however LEDE-17.01 is running on Linux 4.4.
I don't think it will get patches as automatically as you say.
the LEDE/OpenWRT developers would backport the fixes (or move to the new kernel)
Second thing. Which CPU models are actually affected?
At this point, everything that does speculative execution (pretty much
everything x86 or ARM at least) suffers from at least some of the problems
I think the IPQ806x is and the ones based on Marvell 88F6820 as affected too but what about WR1043NDv4 which is QCA9563.
I don't think the patches should be activated on all routers. Only the ones that are affected so we don't unnecessary cripple performance.
Well, it can be argued that embedded systems like this that aren't running
arbitrary code can get away without applying these changes at all (if you don't
have a hostile person running code on your CPU, there is no way for these things
to be exploited)
but these patches are to low-level processor specific code, so they will only
ever be applied to devices running the affected CPUs.
The kernel developers are still figuring out the patches, the performance
implications, and which CPUs are affected, so it's far too early to be asking
about LEDE getting the fixes.
There was a post a few hours ago talking about Intel possibly being about to
release updated microcode for their CPUs to address some of this (and the bad
performance implications of this, along with other options), which just shows
how dynamic the situation is right now.
Both kernel 4.4 and 4.9 release candidates with the KPTI fixes are out right now so there will be no need to backport specifically for LEDE. Once the kernels are updated to 4.4.110 and 4.9.75 respectively, the fix is in.
And as noted by dlang above the official security model for these routers is that there are no "users" so the impact is typically nonexistent. The security risk is to any CPU that allows arbitrary user code to run.
i am asking because i build the image myself. i usually checkout latest stable tag. currently, thats 17.01.4 - will there be a 17.01.5 which i can build?
Spectre hit most cpus no matter the architecture. Meltdown affect only intel and partialy amd/arm. Its here the most dangerous vulnerability from both. And meltdown workaround will probably consume way more cpu speed than spectre.
model name : ARMv7 Processor rev 1 (v7l)
BogoMIPS : 50.00
Features : half thumb fastmult vfp edsp neon vfpv3 tls vfpd32
CPU implementer : 0x41
CPU architecture: 7
CPU variant : 0x4
CPU part : 0xc09
CPU revision : 1
Hardware : Marvell Armada 380/385 (Device Tree)
So, i cannot find the ARM v7 in this list:
This means, that the cpu and so finally my router is not vulnerable, right?
I can't say 100%, but I would expect the answer is that it's not vulnerable.
The CPU features that cause these vulnerabilities are complex things that only
exist on fairly high-end CPUs. Thinks used in most routers (and the Raspberry Pi
level of devices) are too cheap and simple to have these features, and so are
not vulnerable.
The very high-end ARM chips do have these features, and are vulnerable, but I
very much doubt that any router has these chips.
Remember, to be explited, you have to allow the attacker to run their code on
your system. There is not much that happens in LEDE (especially a standard
router deployment) that does this.
But as @dlang noted susceptibility to the attack does not mean that the attack is actually feasible on your router. (Put differently, for the remote attacker to run the exploit code he would first need to get root on your router (many routers only have the root user, so getting a login is equivalent to becoming root), but at that point it is game-over already...
I have read, that the KPTI-patch from 4.14.11 was backported to 4.9.75 - so it will be soon in the development snapshots, i guess ... actual kernel there is 4.9.73 ...
4.9.75 has been committed to trunk but I'm not sure it actually enables the fix for x86. The x86 patches have been backported but there is a config flag that must be enabled (and is not part of the OpenWrt trunk commit).